[squid-users] RES: RES: New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept
Rogerio Coelho
rogerio.coelho at gruporbs.com.br
Wed May 24 21:24:28 UTC 2017
Hi Amos,
I do not know if i send with success the third email with this info. I will try again.
Using intercept mode with 3129 port :
[root at prd-rbs-squid01-poa squid]# cat /etc/squid/squid.conf | egrep -v "^#|^$"
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
…
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_port 3128
http_port 3129 intercept
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[root at prd-rbs-squid01-poa squid]#
[root at prd-rbs-squid01-poa ~]# systemctl restart squid
[root at prd-rbs-squid01-poa squid]# systemctl start squid
[root at prd-rbs-squid01-poa squid]# cat cache.log
2017/05/18 15:22:29 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:22:29 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/05/18 15:22:29 kid1| Service Name: squid
2017/05/18 15:22:29 kid1| Process ID 6592
2017/05/18 15:22:29 kid1| Process Roles: worker
2017/05/18 15:22:29 kid1| With 16384 file descriptors available
2017/05/18 15:22:29 kid1| Initializing IP Cache...
2017/05/18 15:22:29 kid1| DNS Socket created at [::], FD 6
2017/05/18 15:22:29 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/05/18 15:22:29 kid1| Adding domain RBS.NET from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding domain rbs.com.br from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding nameserver 10.236.68.62 from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding nameserver 10.1.1.40 from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/05/18 15:22:29 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/05/18 15:22:29 kid1| Unlinkd pipe opened on FD 14
2017/05/18 15:22:29 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/05/18 15:22:29 kid1| Store logging disabled
2017/05/18 15:22:29 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2017/05/18 15:22:29 kid1| Target number of buckets: 1402
2017/05/18 15:22:29 kid1| Using 8192 Store buckets
2017/05/18 15:22:29 kid1| Max Mem size: 262144 KB
2017/05/18 15:22:29 kid1| Max Swap size: 102400 KB
2017/05/18 15:22:29 kid1| Rebuilding storage in /var/spool/squid (dirty log)
2017/05/18 15:22:29 kid1| Using Least Load store dir selection
2017/05/18 15:22:29 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:22:29 kid1| Finished loading MIME types and icons.
2017/05/18 15:22:29 kid1| HTCP Disabled.
2017/05/18 15:22:29 kid1| Squid plugin modules loaded: 0
2017/05/18 15:22:29 kid1| Adaptation support is off.
2017/05/18 15:22:29 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=9
2017/05/18 15:22:29 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 18 flags=41
2017/05/18 15:22:29 kid1| Done reading /var/spool/squid swaplog (3 entries)
2017/05/18 15:22:29 kid1| Finished rebuilding storage from disk.
2017/05/18 15:22:29 kid1| 2 Entries scanned
2017/05/18 15:22:29 kid1| 0 Invalid entries.
2017/05/18 15:22:29 kid1| 0 With invalid flags.
2017/05/18 15:22:29 kid1| 1 Objects loaded.
2017/05/18 15:22:29 kid1| 0 Objects expired.
2017/05/18 15:22:29 kid1| 0 Objects cancelled.
2017/05/18 15:22:29 kid1| 0 Duplicate URLs purged.
2017/05/18 15:22:29 kid1| 1 Swapfile clashes avoided.
2017/05/18 15:22:29 kid1| Took 0.01 seconds ( 91.36 objects/sec).
2017/05/18 15:22:29 kid1| Beginning Validation Procedure
2017/05/18 15:22:29 kid1| Completed Validation Procedure
2017/05/18 15:22:29 kid1| Validated 1 Entries
2017/05/18 15:22:29 kid1| store_swap_size = 12.00 KB
2017/05/18 15:22:30 kid1| storeLateRelease: released 0 objects
[root at prd-rbs-squid01-poa squid]# netstat -nap | grep -i squid
tcp6 0 0 :::3128 :::* LISTEN 6592/(squid-1)
tcp6 0 0 :::3129 :::* LISTEN 6592/(squid-1)
udp 0 0 0.0.0.0:50868 0.0.0.0:* 6592/(squid-1)
udp6 0 0 :::55754 :::* 6592/(squid-1)
unix 3 [ ] STREAM CONNECTED 73819 6592/(squid-1)
unix 2 [ ] DGRAM 72824 6590/squid
[root at prd-rbs-squid01-poa squid]#
[root at prd-rbs-squid02-poa ~]# /mnt/bin/Linux/proxy3520_3129.sh
…
[root at prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 27 packets, 1754 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4 packets, 240 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:3129
[root at prd-rbs-squid02-poa ~]# rm zabbix-release-3.0-1.el7.noarch.rpm*
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.1’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.2’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.3’? y
…
[root at prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm -e use_proxy=yes -e http_proxy=10.240.64.11:3128
--2017-05-18 15:23:57-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Connecting to 10.240.64.11:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 11416 (11K) [application/x-redhat-package-manager]
Saving to: ‘zabbix-release-3.0-1.el7.noarch.rpm’
100%[=======================================================================================================================================>] 11,416 --.-K/s in 0s
2017-05-18 15:23:58 (194 MB/s) - ‘zabbix-release-3.0-1.el7.noarch.rpm’ saved [11416/11416]
…
[root at prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
--2017-05-18 15:24:16-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Resolving repo.zabbix.com (repo.zabbix.com)... 162.243.159.138
Connecting to repo.zabbix.com (repo.zabbix.com)|162.243.159.138|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-05-18 15:24:16 ERROR 403: Forbidden.
…
[root at prd-rbs-squid02-poa ~]# curl -v http://www.google.com
* About to connect() to www.google.com port 80 (#0)
* Trying 216.58.222.68...
* Connected to www.google.com (216.58.222.68) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 18 May 2017 18:24:23 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3707
< X-Squid-Error: ERR_ACCESS_DENIED 0
…
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< Via: 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20), 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)
< Connection: keep-alive
…
</head><body id=ERR_ACCESS_DENIED>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://www.google.com/">http://www.google.com/</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A24%3A23%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.11%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.29.0%0D%0AAccept%3A%20*%2F*%0D%0AVia%3A%201.1%20prd-rbs-squid01-poa.rbs.com.br%20(squid%2F3.5.20)%0D%0AX-Forwarded-For%3A%2010.240.64.12%0D%0ACache-Control%3A%20max-age%3D259200%0D%0AConnection%3A%20keep-alive%0D%0AHost%3A%20www.google.com%0D%0A%0D%0A%0D%0A">root</a>.</p>
…
<br>
</div>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:24:23 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
…
* Connection #0 to host www.google.com left intact
[root at prd-rbs-squid02-poa ~]#
…
[root at prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 238 packets, 21830 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 48 packets, 4956 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 257 bytes)
…
pkts bytes target prot opt in out source destination
2 120 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
…
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 6 packets, 377 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
2 120 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:3129
[root at prd-rbs-squid02-poa ~]#
[root at prd-rbs-squid01-poa squid]# tail -f /var/log/squid/access.log
1495131838.333 470 10.240.64.12 TCP_SWAPFAIL_MISS/200 11868 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_DIRECT/162.243.159.138 application/x-redhat-package-manager
1495131856.340 0 10.240.64.11 TCP_MISS/403 4352 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_NONE/- text/html
1495131856.340 0 10.240.64.12 TCP_MISS/403 4517 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - ORIGINAL_DST/10.240.64.11 text/html
1495131863.177 0 10.240.64.11 TCP_MISS/403 4147 GET http://www.google.com/ - HIER_NONE/- text/html
1495131863.177 3 10.240.64.12 TCP_MISS/403 4312 GET http://www.google.com/ - ORIGINAL_DST/10.240.64.11 text/html
When i add iptables nat rules on Squid Server i get Service Unavailable / ERR_CONNECT_FAIL 111 .
[root at prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 11682 packets, 1002K bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2631 packets, 243K bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 150 packets, 11353 bytes)
…
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 150 packets, 11353 bytes)
…
pkts bytes target prot opt in out source destination
[root at prd-rbs-squid01-poa ~]# cat /root/squid.sh
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
iptables -F -t nat
iptables -X -t nat
# your proxy IP
SQUIDIP=10.240.64.11
# your proxy listening port
SQUIDPORT=3129
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
[root at prd-rbs-squid01-poa ~]# /root/squid.sh
[root at prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 13 packets, 1777 bytes)
…
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.240.64.11 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.240.64.11:3129
Chain INPUT (policy ACCEPT 6 packets, 885 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
[root at prd-rbs-squid01-poa ~]# netstat -nap | grep -i squid
tcp6 0 0 :::3128 :::* LISTEN 6592/(squid-1)
tcp6 0 0 :::3129 :::* LISTEN 6592/(squid-1)
udp 0 0 0.0.0.0:50868 0.0.0.0:* 6592/(squid-1)
udp6 0 0 :::55754 :::* 6592/(squid-1)
unix 3 [ ] STREAM CONNECTED 73819 6592/(squid-1)
unix 2 [ ] DGRAM 72824 6590/squid
[root at prd-rbs-squid01-poa ~]# systemctl stop squid
[root at prd-rbs-squid01-poa ~]# rm /var/log/squid/* -f
…
[root at prd-rbs-squid01-poa ~]# systemctl start squid
[root at prd-rbs-squid01-poa ~]# cat /var/log/squid/cache.log
2017/05/18 15:34:48 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:34:48 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/05/18 15:34:48 kid1| Service Name: squid
2017/05/18 15:34:48 kid1| Process ID 8435
2017/05/18 15:34:48 kid1| Process Roles: worker
2017/05/18 15:34:48 kid1| With 16384 file descriptors available
2017/05/18 15:34:48 kid1| Initializing IP Cache...
2017/05/18 15:34:48 kid1| DNS Socket created at [::], FD 6
2017/05/18 15:34:48 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/05/18 15:34:48 kid1| Adding domain RBS.NET from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding domain rbs.com.br from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding nameserver 10.236.68.62 from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding nameserver 10.1.1.40 from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/05/18 15:34:48 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/05/18 15:34:48 kid1| Unlinkd pipe opened on FD 14
2017/05/18 15:34:48 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/05/18 15:34:48 kid1| Store logging disabled
2017/05/18 15:34:48 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2017/05/18 15:34:48 kid1| Target number of buckets: 1402
2017/05/18 15:34:48 kid1| Using 8192 Store buckets
2017/05/18 15:34:48 kid1| Max Mem size: 262144 KB
2017/05/18 15:34:48 kid1| Max Swap size: 102400 KB
2017/05/18 15:34:48 kid1| Rebuilding storage in /var/spool/squid (dirty log)
2017/05/18 15:34:48 kid1| Using Least Load store dir selection
2017/05/18 15:34:48 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:34:48 kid1| Finished loading MIME types and icons.
2017/05/18 15:34:48 kid1| HTCP Disabled.
2017/05/18 15:34:48 kid1| Squid plugin modules loaded: 0
2017/05/18 15:34:48 kid1| Adaptation support is off.
2017/05/18 15:34:48 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=9
2017/05/18 15:34:48 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 18 flags=41
2017/05/18 15:34:48 kid1| Done reading /var/spool/squid swaplog (4 entries)
2017/05/18 15:34:48 kid1| Finished rebuilding storage from disk.
2017/05/18 15:34:48 kid1| 2 Entries scanned
2017/05/18 15:34:48 kid1| 0 Invalid entries.
2017/05/18 15:34:48 kid1| 0 With invalid flags.
2017/05/18 15:34:48 kid1| 1 Objects loaded.
2017/05/18 15:34:48 kid1| 0 Objects expired.
2017/05/18 15:34:48 kid1| 0 Objects cancelled.
2017/05/18 15:34:48 kid1| 0 Duplicate URLs purged.
2017/05/18 15:34:48 kid1| 1 Swapfile clashes avoided.
2017/05/18 15:34:48 kid1| Took 0.01 seconds ( 91.74 objects/sec).
2017/05/18 15:34:48 kid1| Beginning Validation Procedure
2017/05/18 15:34:48 kid1| Completed Validation Procedure
2017/05/18 15:34:48 kid1| Validated 1 Entries
2017/05/18 15:34:48 kid1| store_swap_size = 12.00 KB
2017/05/18 15:34:49 kid1| storeLateRelease: released 0 objects
[root at prd-rbs-squid02-poa ~]# /mnt/bin/Linux/proxy3520_80.sh
…
[root at prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 8 packets, 594 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:80
…
[root at prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm -e use_proxy=yes -e http_proxy=10.240.64.11:3128
--2017-05-18 15:35:16-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Connecting to 10.240.64.11:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 11416 (11K) [application/x-redhat-package-manager]
Saving to: ‘zabbix-release-3.0-1.el7.noarch.rpm.1’
…
100%[=======================================================================================================================================>] 11,416 --.-K/s in 0s
2017-05-18 15:35:16 (193 MB/s) - ‘zabbix-release-3.0-1.el7.noarch.rpm.1’ saved [11416/11416]
…
[root at prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
--2017-05-18 15:35:25-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Resolving repo.zabbix.com (repo.zabbix.com)... 162.243.159.138
Connecting to repo.zabbix.com (repo.zabbix.com)|162.243.159.138|:80... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2017-05-18 15:35:25 ERROR 503: Service Unavailable.
…
[root at prd-rbs-squid02-poa ~]# curl -v http://www.google.com
* About to connect() to www.google.com port 80 (#0)
* Trying 216.58.222.68...
* Connected to www.google.com (216.58.222.68) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 18 May 2017 18:35:42 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3586
< X-Squid-Error: ERR_CONNECT_FAIL 111
…
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< Via: 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)
< Connection: keep-alive
…
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2016 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
…
</head><body id=ERR_CONNECT_FAIL>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://www.google.com/">http://www.google.com/</a></p>
<blockquote id="error">
<p><b>Connection to 10.240.64.11 failed.</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>(111) Connection refused</i></p>
<p>The remote host or network may be down. Please try the request again.</p>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_CONNECT_FAIL&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_CONNECT_FAIL%0D%0AErr%3A%20(111)%20Connection%20refused%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A35%3A42%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.12%0D%0AServerIP%3A%20www.google.com%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.29.0%0D%0AAccept%3A%20*%2F*%0D%0AHost%3A%20www.google.com%0D%0A%0D%0A%0D%0A">root</a>.</p>
…
<br>
</div>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:35:42 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_CONNECT_FAIL -->
</div>
</body></html>
…
* Connection #0 to host www.google.com left intact
[root at prd-rbs-squid02-poa ~]# telnet 10.240.64.11 80
Trying 10.240.64.11...
Connected to 10.240.64.11.
Escape character is '^]'.
www.google.com.br
…
HTTP/1.1 400 Bad Request
Server: squid/3.5.20
Mime-Version: 1.0
Date: Thu, 18 May 2017 18:36:12 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4083
X-Squid-Error: ERR_INVALID_REQ 0
…
</head><body id=ERR_INVALID_REQ>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p><b>Invalid Request</b> error was encountered while trying to process the request:</p>
<blockquote id="data">
<pre>www.google.com.br
</pre>
</blockquote>
…
<p>Some possible problems are:</p>
<ul>
<li id="missing-method"><p>Missing or unknown request method.</p></li>
<li id="missing-url"><p>Missing URL.</p></li>
<li id="missing-protocol"><p>Missing HTTP Identifier (HTTP/1.0).</p></li>
<li><p>Request is too large.</p></li>
<li><p>Content-Length missing for POST or PUT requests.</p></li>
…
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
<li><p>HTTP/1.1 <q>Expect:</q> feature is being asked from an HTTP/1.0 software.</p></li>
</ul>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_INVALID_REQ&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_INVALID_REQ%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A36%3A12%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.12%0D%0A%0D%0AHTTP%20Request%3A%0D%0A%0D%0A%0D%0A">root</a>.</p>
<br>
</div>
<script language="javascript">
if ('[unknown method]' != '[unknown method]') document.getElementById('missing-method').style.display = 'none';
if ('error:invalid-request' != '[no URL]') document.getElementById('missing-url').style.display = 'none';
if ('[unknown protocol]' != '[unknown protocol]') document.getElementById('missing-protocol').style.display = 'none';
</script>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:36:12 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_INVALID_REQ -->
</div>
</body></html>
Connection closed by foreign host.
…
[root at prd-rbs-squid02-poa ~]#
[root at prd-rbs-squid01-poa ~]# tail -f /var/log/squid/access.log
1495132516.589 414 10.240.64.12 TCP_SWAPFAIL_MISS/200 11868 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_DIRECT/162.243.159.138 application/x-redhat-package-manager
1495132525.592 1 10.240.64.12 TCP_MISS/503 4275 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - ORIGINAL_DST/10.240.64.11 text/html
1495132542.412 4 10.240.64.12 TCP_MISS/503 4037 GET http://www.google.com/ - ORIGINAL_DST/10.240.64.11 text/html
1495132572.097 0 10.240.64.12 TAG_NONE/400 4518 NONE error:invalid-request - HIER_NONE/- text/html
^[[A^[[A^C
[root at prd-rbs-squid01-poa ~]#
[root at prd-rbs-squid01-poa ~]#
[root at prd-rbs-squid01-poa ~]#
[root at prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1302 packets, 114K bytes)
…
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.240.64.11 0.0.0.0/0 tcp dpt:80
3 180 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.240.64.11:3129
Chain INPUT (policy ACCEPT 300 packets, 26683 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14 packets, 983 bytes)
…
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
…
pkts bytes target prot opt in out source destination
14 983 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
[root at prd-rbs-squid01-poa ~]#
[root at prd-rbs-squid01-poa ~]# curl -v http://www.google.com
…
* About to connect() to www.google.com port 80 (#0)
* Trying 172.217.30.4...
* Connected to www.google.com (172.217.30.4) port 80 (#0)
…
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: http://www.google.com.br/?gws_rd=cr&ei=wuodWZinJcmZwgTciKb4Bg
…
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 18:41:06 GMT
…
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=103=WzsmeICIbXNm_Pvj9tvsdijmqA-NgEXXDYt9Oiso971cJhOyXiM3GEjVwZNUxKs4QorVs9P_07jwWkPk6LhbODbhNPdchdTiTpMXh_ZIFpRKDPERbxD3w46bOVl_CngR; expires=Fri, 17-Nov-2017 18:41:06 GMT; path=/; domain=.google.com; HttpOnly
…
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.br/?gws_rd=cr&ei=wuodWZinJcmZwgTciKb4Bg">here</A>.
…
Rogério Ceni Coelho
Engenheiro de Infraestrutura – Infrastructure Engineer
Diretoria de TI e Telecom - Grupo RBS
Fone: +55 (51) 3218-6983
Celular: +55 (51) 8186-2933 Claro
Celular: +55 (51) 8050-4225 Vivo
rogerio.coelho at gruporbs.com.br
http://www.gruporbs.com.br
Esta mensagem e quaisquer anexos são exclusivamente para o uso da parte endereçada e poderão conter dados privilegiados e confidenciais. Caso o leitor da mensagem não seja a parte a quem ela foi endereçada, nem um representante autorizado da mesma, ficará notificado, por meio desta, que qualquer divulgação desta comunicação é estritamente proibida. Se esta comunicação for recebida erroneamente, por favor, notifique-nos disto imediatamente por e-mail e delete a mensagem e quaisquer anexos a ela de seu sistema.
-----Mensagem original-----
De: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Em nome de Amos Jeffries
Enviada em: quarta-feira, 24 de maio de 2017 18:13
Para: squid-users at lists.squid-cache.org
Assunto: Re: [squid-users] RES: New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept
On 25/05/17 08:12, Rogerio Coelho wrote:
> On my new Squid Server running 3.5.20 on Centos 7 a try to use in many different ways.
>
> When i use wget or firefox using http_proxy conf web access go ok. But when i try to access web using iptables redirect from Linux Server i got bad request / Invalid URL.
You omitted the squid.conf dump on this post so I cannot be sure but that is the behaviour which happens when use a forward/explicit proxy port (eg 3128) to receive intercepted port-80 traffic.
You need separate http_port lines for receiving these two quite different types of HTTP traffic.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
O Grupo RBS pauta sua atuação por seu Código de Ética e Conduta, em conformidade com a Legislação Brasileira. Qualquer situação irregular deve ser informada via Canal de Ética pelo site https://www.contatoseguro.com.br/gruporbs ou 0800 602 1831. Este e-mail e seus anexos podem conter informações confidenciais. Se você recebeu esta mensagem por engano, por favor apague-a e notifique o remetente imediatamente.
More information about the squid-users
mailing list